[PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

Date: Mon, 22 May 2017 13:57:04 +0200

This is a preparation patch for the module auto-load restriction feature.

In order to restrict module auto-load operations we need to check if the caller has the CAP_SYS_MODULE capability. This allows aligning the security checks of automatic module loading with the checks of the explicit operations.

However, "netdev-%s" modules are allowed to be loaded if CAP_NET_ADMIN is set. Therefore, in order to not break this assumption, and to allow userspace to only load "netdev-%s" modules with the CAP_NET_ADMIN capability, which is considered a privileged operation, we have two choices: 1) parse the "netdev-%s" alias and check the capability, or 2) hand the capability from request_module() to the security_kernel_module_request() hook and let the capability subsystem decide.

After a discussion with Rusty Russell [1], the suggestion was to pass the capability from request_module() to security_kernel_module_request() for 'netdev-%s' modules that need CAP_NET_ADMIN.

The patch does not update request_module(); it updates the internal __request_module(), which will take an extra "allow_cap" argument. If positive, then the automatic module load operation can be allowed.

__request_module() will only be called by networking code, which is the exception to this, so we do not break userspace and CAP_NET_ADMIN can continue to load 'netdev-%s' modules. Other kernel code should continue to use request_module(), which calls security_kernel_module_request() and will check for the CAP_SYS_MODULE capability in the next patch. This allows more control over who can trigger automatic module loading.

This patch updates security_kernel_module_request() to take the 'allow_cap' argument, and SELinux, which is currently the only user of the security_kernel_module_request() hook.
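The following is an added userspace model of the decision this series describes; it is not the kernel's code and is not part of the patch. It assumes that the follow-up patch's hook allows the request when the caller holds CAP_SYS_MODULE, or when `allow_cap` is positive and the caller holds that capability; the capability numbers and bitmask representation are constructed for the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed capability numbers for this model (not the kernel's values). */
enum { CAP_NET_ADMIN = 12, CAP_SYS_MODULE = 16 };

/* The caller's capabilities, modelled as a bitmask. */
typedef unsigned long cap_mask_t;

static bool has_cap(cap_mask_t caps, int cap)
{
    return cap > 0 && (caps & (1UL << cap)) != 0;
}

/* Model of security_kernel_module_request(kmod_name, allow_cap):
 * CAP_SYS_MODULE always suffices; otherwise the request is allowed only if
 * allow_cap is positive and the caller holds it (assumption about the
 * follow-up patch). */
static int security_kernel_module_request_model(cap_mask_t caps, int allow_cap)
{
    if (has_cap(caps, CAP_SYS_MODULE))
        return 0;
    if (allow_cap > 0 && has_cap(caps, allow_cap))
        return 0;
    return -EPERM;
}

/* Model of the internal __request_module(): takes the extra allow_cap. */
static int request_module_model(cap_mask_t caps, const char *name, int allow_cap)
{
    (void)name; /* the module name is not consulted; the capability decides */
    return security_kernel_module_request_model(caps, allow_cap);
}

/* Model of request_module() as other kernel code keeps using it: no allow_cap,
 * so only CAP_SYS_MODULE passes the check. */
static int request_module_plain(cap_mask_t caps, const char *name)
{
    return request_module_model(caps, name, 0);
}

/* Model of the networking caller, the one exception: it autoloads
 * "netdev-%s" and hands CAP_NET_ADMIN to __request_module(). */
static int dev_load_model(cap_mask_t caps, const char *ifname)
{
    char name[64];
    snprintf(name, sizeof name, "netdev-%s", ifname);
    return request_module_model(caps, name, CAP_NET_ADMIN);
}
```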